Cracking HawkEye Keylogger Reborn

I had never heard of ‘HawkEye Keylogger’ until I’ve read the following blog post from Trustwave. I’ve found the amount of features quite interesting and I was curious to have a closer look at the source code.

After some research it seems this Keylogger has been successfully used in some campaigns in the past and it is still being actively used.

Actually ‘HawkEye’ is best known in the AV industry by ‘Golroted’. In fact it seems that ‘HawkEye’ was using a different name before, ‘Predator Keylogger’, as you can see in this post from stopmalvertising. I’m not sure if the author(s) behind them are the same. The source code might have been shared/sold among some malicious software writers.

After a bit of digging I could also find some previous versions of ‘HawkEye’ cracked. However, it seemed, at first, that the previous versions were a bit different from the latest ‘Reborn’ version. ‘HawkEye’ didn’t look an advanced piece of malware and the authors/sellers apparently are doing a sloppy job. The lesson here is even a sloppy malware writers can make a profit without hiding themselves that much.

While searching the web I’ve found a few ‘HawkEye’ technical analysis (see references at the end of this blog post), and while poking around I ended on the home page of ‘HawkEye’. It is sold for more or less $35, depending on each type of license you are interested in. At the time of this writing the home page is down, it should come up again at some point. During the last month I noticed that it goes down and comes back from time to time.

So I had access to the “potential” builder and not only to the samples that were collected on the wild and mentioned on the technical articles I’ve found. So I decided to have a look and opened it in CFF Explorer.

CFF Explorer is like PEStudio for .net assemblies and it tells us that this file is indeed a .net binary.

Dynamic Analysis

So I downloaded it and ran it on a VM. No anti-VM techniques were in use, at least none able to detected my VMware based virtual lab. If ‘HawkEye’ doesn’t have access to the Internet the program will throw an Exception and writes a file ‘loader.log’ on the same directory from where the exe was launched.

8/1/2016 6:41:35 PM
The operation has timed out
at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
at System.Net.WebClient.DownloadString(Uri address)
at System.Net.WebClient.DownloadString(String address)
at HawkEyeKeyloggerReborn.License.DownloadChecksums()
at HawkEyeKeyloggerReborn.License.Initialize()

Since I was monitoring the DNS queries I could see that it tries to resolve the host ‘seal.nimoru.com’. Ok, I fired up my Tor Proxy VM and this time I was presented with a login form, as shown below.

I did a quick search for ‘Net Seal’ (shown in the title bar of the login dialog box) but at this time I didn’t find anything (more on this later).

Reverse Engineering Managed Code

Managed code decompilers are the way to go when analysing .NET assemblies since they allow us to decompile the binary into source code. However, if the binary is obfuscated, this process can be a nightmare. Besides the managed code decompilers are not as amazing as you may think if you are dealing with complex projects. Almost all of them allow you to export the code, even to Visual Studio projects. Getting this projects to compile is a complete different story though. Based on my experience 99% of times it will not build and you have to deal with too many errors. Most of the errors are completely ‘alien’. Still, decompilers are great.

So I loaded ‘HawkEye Keylogger - Reborn.exe’ in ILSpy, I could see the file was encrypted/obfuscated with a module called ‘MindZero v0.5.0-custom’.

I looked around but I couldn’t find any reference to MindZero .net code packer/obfuscator or anything close on the Internet. I tried a couple of tools in order to try to identify the packer/obfuscator used. Some wrongly indicated that Confuser was used.

The only methods exposed, as you can see bellow, were ZeroMind(), Zero(), Mind(), Decompress(), and a few others.

The method Zero() and ZeroMind() were quite interesting. One of the immediate things I noticed was the use of Reflection and LoadModule. More on this later.

After reading quite a lot about .net binaries Reverse Engineering (see the ‘References’) I decided to use first a memory dumper and then go from there.

So I used ‘MegaDumper 1.0 by CodeCracker / SnD’. You can find it in some Reverse Engineering Forums. Basically I executed ‘HawkEye Keylogger - Reborn.exe’, fired ‘MegaDumper’, selected the process corresponding to ‘HawkEye’ (stuck on the ‘Net Seal’ login prompt) and selected the option to dump the loaded assembly.

The result was an interesting collection of executable and dll files.

I loaded almost every file in ILSpy and found some interesting things. The ‘Cure.exe’ was the vacine to ‘HawkEye’. Meaning if you infected a computer and you want to clean it you should run this file. Here’s the interesting code showing some of the IOCs already mentioned in some of the articles I mentioned before.

Other interesting file was ‘License.dll’. I loaded it in ILSpy and got the following message:

So it seems ‘SmartAssembly 6.9.0.114 obfuscator’ was used, at least in some PE files that are part of the whole package. However, even after cleaning it I couldn’t make much sense of the code… The amount of goto’s indicates that the file is still obfuscated, so or either SmartAssembly was incorrectly detected or the deobfuscator didn’t work. I didn’t spend much time with this though.

One of the dumped ‘HawkEye Keylogger - Reborn.exe’ files was smaller than the original, however after loading it in ILSpy I could see it was still packed and all his functionality appeared the same. By running it I was again stuck in the ‘Net Seal’ login prompt.

It is interesting to notice that if this file was using some evasion techniques it would have exited long before we have finished. So this behaviour led me to conclude that if this ‘HawkEye’ version was using evasion techniques they were most likely not implemented correctly.

WinDBG to the rescue

In order to debug .net assemblies the best option is WinDBG with SOS and SOSEX together. However there is no IL code steping and it might be a bit hard to get into it. The IL opcodes are a bit scary, at least at first. Besides reversing .net malware is not well documented on the internet.

Before you start make sure you load Microsoft debugging symbols. Set your symbol path to Microsoft symbol server or just download the symbols locally. I usually have the symbols installed locally for obvious reasons, but it is completely up to you. I’m not going to show how to do it since this is widely documented. However this step is not optional.

The SOS extension is part of the .net framework and the SOSEX extension can be downloaded from here. You can install it anywhere you want, after firing WinDBG you need to load it the following way:

.load"F:\\sosex_32\\sosex.dll"

I’ll skip the steps to load and use SOS because you can do everything with SOSEX. However in a initial phase it was quite useful to get a better insight of this .net assembly.

As I mentioned before, one of the things I noticed when I first looked at the .net assembly in ILSpy was the use of Reflection and LoadModule. This method loads a Byte Array, hopefully deofuscated I thought. So with the help of SOSEX is quite easy to set a breakpoint on any method matching a pattern. So I decided to set a breakpoint on any method matching the pattern Assembly.Load:

!mbm*Assembly.Load*

When we run the binary CLR is initialized and WinDBG places breakpoints on all methods matching the pattern above. After the first breakpoint is hit you can see a complete list of breakpoints with:

If we check ECX register we should have our Byte Array ready to be dumped. The second DWORD (003e0400) corresponds to size of the Byte Array and the third DWORD (00905a4d) corresponds to the .net assembly. To dump this assembly we can use the ‘writemem’ command as follows:

.writememF:\sample.decrypted.exe00905a4dL?003e0400

But there’s an easier and 1337 way by using the poi() function. Pointer of integer function is used to get pointer-sized data. Think about the * operator for C and C++. By using poi() we just provide ecx+4 as its parameter and it will automatically take the value at that address and use it, rather than just using the value of ecx+4:

.writememF:\sample.decrypted.exe@ecx+8L?poi(@ecx+4)

I loaded the assembly in ILSpy and Bingo.

I now have access to the whole code. Under ‘Keylogger’ we can find the code for the ‘Builder’ of the samples that have been collected on the wild. As we can see, by looking only at the methods, the ‘Builder’ has loads of ‘cool’ stuff. ‘NewsFeed’, ‘Tutorial’, ‘BugReport’, ‘Bazaar’… it almost looks like a legit software.

After running the new binary I’m still stuck at the ‘Net Seal’ prompt login though. But now I have access to the code!

Cracking HawkEye Keylogger Reborn

So I need to bypass this login prompt which I guess it validates the license. Which options do I have? I can try to export the code and build it on Visual Studio…

Well, I tried… 738 errors! Good luck with that…

The only option is to patch the binary. Even though I’ll be dealing with IL code and not assembly code… it looks more fun than fix 738 build errors. Luckily there’s a really nice plugin for ILSpy and Reflector called Reflexil that allows you to binary patch the IL code “easily”.

After poking around the code for a while I’ve found an interesting method inside the class ‘License’ called ‘Initialize()’. It seems I’ll need to modify it.

There are two ways you can modify the code with Reflexil. An easy one and a hard one. The easy one allows you to modify directly the code in C# (or Visual Basic). The hard one allows you to modify directly the IL opcodes.

Of course I went for the easy one! But that didn’t work quite well…

It looks I’ll have to learn some IL code. I have tried to build some really small PoCs on Visual Studio to figure out the IL opcodes for simple things like:

returntrue;

Which is basically:

ldc.i4.1ret

However Reflexil makes it really easy, after poking around the code for a little while it looked like I only needed to delete instructions and not actually write any IL code.

So I deleted all the IL instructions from the methods ‘Initialize()’ and ‘Initialize(string)’ and saved the new file.

I’ve run it and… voila. Cracked?

Well… kind of. Because, if you try to use the ‘builder’… it does’t work.

The newest version of ‘HawkEye Keylogger’ has one big difference to the older ones that makes it a bit harder to crack. While the other cracked versions of ‘HawkEye Keylogger’ that I could find on-line (I mean the ones that work, because some don’t…) have the actual keylogger embedded as a Resource. However this ‘Reborn’ version doesn’t have the keylogger binary embedded as a Resource any more. Instead, during runtime the keylogger executable is downloaded from ‘http://seal.nimoru.com/Base/getFile.php’. The author’s intention is clearly avoid cracking. Look at the following ‘builder’ code under the ‘Menu’ class.

As we can see the download of the file depends on code from the ‘Net Seal’ authentication mechanism that we bypassed since we don’t have an account. Anyway we can see what’s going on here by looking at the ‘Cloud’ method.

I started looking around the code again to see what I could do. I though the easiest way was using a local sample of the keylogger and read its bytes directly into ‘MyProject.Forms.Keylogger.stubBytes’. To do this I need to find a proper place and write some IL code. It seems I can’t go away without writing IL code. Fun.

I used the same approach as before, launched Visual Studio and wrote more or less what I needed:

Then I started looking at the IL instructions of ‘GetStub’ method from the ‘Menu’ class…

I’ve found what it looked like a possible place for my IL code at ‘Menu_Load’ method on the ‘Menu’ class and rewrote it as shown bellow:

Saved the new file and gave it a try…

Yes, now it works. You need to place the ‘keylogger’ sample on ‘C:\pwned.exe’, you can change it but I’ll leave that as an exercise for you. Note that you also need ‘Mono.Cecil.dll’ installed on your system or simply on the same directory as our final cracked version or the program will crash with an ‘System.IO.FileNotFoundException’. If you use Procmon you can easily identify what’s missing…

You already have ‘Mono.Cecil.dll’, look at the dumps from ‘MegaDumper’ so… Mission Accomplished!

I’m not sharing the cracked version. However, you can visit the links I mention above and with all the information here you should be able to get the ‘job done’ or even do a better job.

HawkEye Builder Features and Code

The builder presents the user with multiple options. We can contact support via email as shown bellow.

The must read option simply opens the browser and redirects the user to the ‘HawkEye’ home page.

The tutorial displays the only video the author has for ‘HawkEye Keylogger Reborn’. That you can also see on YouTube.

The Bazaar has more software for interested buyers. More keyloggers in case one is not enough, crypters, and apparently a RAT and an MS Word exploit are in the works.

Lastly and the actual relevant feature… the keylogger builder.

The code for the builder is quite big and basically replaces some assemblies with the configuration the user chooses.

Nothing really new.

Keylogger

Most of this ‘HawkSpy Keylogger Reborn’ features and IOCs have already been discussed on the technical articles I point on the ‘References’ section, so I’ll not waste too much time going over them again.

However, one interesting thing to notice is that even after having his keylogger exposed and cracked on the Internet the author is too lazy to change simple things as the secret key and salt used for configuration settings encryption. Well, to be fair it will not make any difference anyway.

As you can see the secret is still the same as in previous versions.

And the salt too.

With all this information is trivial to decrypt the keylogger settings.

You can use the following small decryption method I wrote in C# to get the configuration.

Since getting access to the configuration of the samples being used in the wild is pretty easy I would avoid using it for ‘serious’ stealthy operations.

Note that ‘bob@mail.lab.org’ is just a local e-mail of my internal lab mail server (mail.lab.org).

For more details and IOCs I recommend you to read the Trustwave, Malwaredigger and blog.idiom.ca, all listed in the ‘References’ section. There’s no point describing the same thing that have already been described since the only thing that as really changed in this ‘Reborn’ version is the fact that the actual keylogger is now being downloaded from the Internet in real time and it is not embedded as a ‘Resource’ any more.

People behind ‘HawkEye Keylogger’ and other variants

Apparently many eventually “talented” software developers think they can get away with writing, selling and supporting malicious software. The true is it seems that some of the people behind this keylogger have been around for quite some time. Before ‘HawkSpy.net’ the domain hawkeyeproducts.com was used and it is not hard to track their operations back to 2013/2014 but I’ll leave that for you as an exercise if you feel like it.

One thing I later found is that this ‘Net Seal’ software is/was also being distributed on hackforums as you can see here and here. You might want to look at it if you have some free time.